[SECURITY] [DLA 1842-1] python-django security update
Package : python-django
Version : 1.7.11-1+deb8u6
CVE ID : CVE-2019-12308
Debian Bug : #931316
It was discovered that the Django Python web development framework
did not correctly identify HTTP connections when a reverse proxy
connected to it via HTTPS.
When deployed behind a reverse-proxy connecting to Django via HTTPS
django.http.HttpRequest.scheme would incorrectly detect client
requests made via HTTP as using HTTPS. This produced incorrect
results from is_secure() and build_absolute_uri(), and meant that
HTTP requests were not redirected to HTTPS in accordance with
SECURE_SSL_REDIRECT.
HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it is
configured, and the appropriate header is set on the request, for
both HTTP and HTTPS requests.
If you deploy Django behind a reverse-proxy that forwards HTTP
requests, and that connects to Django via HTTPS, be sure to verify
that your application correctly handles code paths relying on scheme,
is_secure(), build_absolute_uri(), and SECURE_SSL_REDIRECT.
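The following is an added illustration, not Django's own code or part of the
advisory: a minimal pure-Python model of how HttpRequest.scheme resolves the
client's scheme behind a reverse proxy, placing the pre-fix lookup (the header
could only upgrade a request to https, otherwise the proxy hop's scheme was
used) beside the corrected lookup (a configured header decides the scheme for
both HTTP and HTTPS). The class and function names, the host "app.example", and
the request metadata are constructed for this example; SECURE_PROXY_SSL_HEADER
and SECURE_SSL_REDIRECT are the real Django setting names from the advisory,
modelled here rather than imported.

```python
# Added illustration (not Django's own code): a model of how HttpRequest.scheme
# resolves the client's scheme behind a reverse proxy, before and after the fix.
from typing import Dict, Optional, Tuple

# Constructed setting, mirroring what settings.py would carry: the WSGI META
# name of the proxy's X-Forwarded-Proto header and the value meaning "secure".
SECURE_PROXY_SSL_HEADER: Tuple[str, str] = ("HTTP_X_FORWARDED_PROTO", "https")


class ProxiedRequest:
    """Stand-in for HttpRequest with only the fields the scheme lookup uses."""

    def __init__(self, meta: Dict[str, str], hop_scheme: str) -> None:
        self.META = meta
        # Scheme of the hop between the reverse proxy and Django (what WSGI
        # exposes as wsgi.url_scheme), which is not the client's scheme.
        self._hop_scheme = hop_scheme

    def scheme_before_fix(self, proxy_header=SECURE_PROXY_SSL_HEADER) -> str:
        # Vulnerable behaviour: the header can only upgrade a request to https.
        # Any other value falls back to the proxy hop, so an HTTPS hop makes
        # every plain-HTTP client request look secure.
        if proxy_header:
            header, value = proxy_header
            if self.META.get(header) == value:
                return "https"
        return self._hop_scheme

    def scheme_after_fix(self, proxy_header=SECURE_PROXY_SSL_HEADER) -> str:
        # Corrected behaviour: when the configured header is present it decides
        # the scheme in both directions; only its absence uses the proxy hop.
        if proxy_header:
            header, value = proxy_header
            header_value = self.META.get(header)
            if header_value is not None:
                return "https" if header_value == value else "http"
        return self._hop_scheme


def is_secure(scheme: str) -> bool:
    return scheme == "https"


def build_absolute_uri(scheme: str, host: str, path: str) -> str:
    return f"{scheme}://{host}{path}"


def ssl_redirect_target(scheme: str, host: str, path: str,
                        secure_ssl_redirect: bool = True) -> Optional[str]:
    """Models SecurityMiddleware under SECURE_SSL_REDIRECT: the https URL an
    insecure request is redirected to, or None when no redirect is due."""
    if secure_ssl_redirect and not is_secure(scheme):
        return build_absolute_uri("https", host, path)
    return None


def evaluate(meta: Dict[str, str], hop_scheme: str,
             host: str = "app.example", path: str = "/login/") -> Dict[str, object]:
    """Run one constructed request through both versions of the lookup."""
    req = ProxiedRequest(meta, hop_scheme)
    before, after = req.scheme_before_fix(), req.scheme_after_fix()
    return {
        "scheme_before_fix": before,
        "scheme_after_fix": after,
        "redirect_before_fix": ssl_redirect_target(before, host, path),
        "redirect_after_fix": ssl_redirect_target(after, host, path),
    }


if __name__ == "__main__":
    # Constructed scenario from the advisory: the client spoke plain HTTP to
    # the proxy, but the proxy forwards the request to Django over HTTPS.
    meta = {"HTTP_X_FORWARDED_PROTO": "http", "HTTP_HOST": "app.example"}
    for name, val in evaluate(meta, hop_scheme="https").items():
        print(f"{name}: {val}")
```

In the scenario the advisory describes (proxy hop over HTTPS, client over HTTP)
the pre-fix lookup reports "https", so is_secure() is true, build_absolute_uri()
emits an https URL and SECURE_SSL_REDIRECT never fires; the corrected lookup
reports "http" and the redirect is issued. When the proxy does not send the
header at all, both versions fall back to the hop scheme, which is why the
advisory's last paragraph asks operators of such deployments to re-check those
code paths.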
For Debian 8 "Jessie", this issue has been fixed in python-django version
1.7.11-1+deb8u6.
We recommend that you upgrade your python-django packages.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-